This creates an obvious disconnect and potentially duplicate assignments
and confusion, if researchers are being told to go to DWF for *all* OSS
assignments. For example, Apache is a CNA and has many OSS projects, but
vulnerabilities in their software should go to them, not DWF. Could MITRE
share the text that is being sent out currently?